From 84c95826de5957fef5f75a50e97e662193be080d Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 4 Jan 2012 16:51:14 +0000 Subject: [PATCH] Submitted by: Robin Seggelmann , Michael Tuexen Reviewed by: steve Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and Kenny Paterson. --- CHANGES | 14 ++++++++++++++ ssl/d1_pkt.c | 26 ++++++++++++++++---------- 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/CHANGES b/CHANGES index 67cedf04c9..b182536392 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,20 @@ Changes between 1.0.0e and 1.0.0f [xx XXX xxxx] + *) Nadhem Alfardan and Kenny Paterson have discovered an extension + of the Vaudenay padding oracle attack on CBC mode encryption + which enables an efficient plaintext recovery attack against + the OpenSSL implementation of DTLS. Their attack exploits timing + differences arising during decryption processing. A research + paper describing this attack can be found at: + http://www.isg.rhul.ac.uk/~kp/dtls.pdf + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann + and Michael Tuexen + for preparing the fix. (CVE-2011-4108) + [Robin Seggelmann, Michael Tuexen] + *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)] diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 39aac73e10..e0c0f0cc9a 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -375,6 +375,7 @@ dtls1_process_record(SSL *s) SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + int decryption_failed_or_bad_record_mac = 0; rr= &(s->s3->rrec); @@ -409,13 +410,10 @@ dtls1_process_record(SSL *s) enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) { - /* decryption failed, silently discard message */ - if (enc_err < 0) - { - rr->length = 0; - s->packet_length = 0; - } - goto err; + /* To minimize information leaked via timing, we will always + * perform all computations before discarding the message. + */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -445,7 +443,7 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ @@ -456,17 +454,25 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { - goto err; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* decryption failed, silently discard message */ + rr->length = 0; + s->packet_length = 0; + goto err; + } + /* r->length is now just compressed */ if (s->expand != NULL) {